
Bro, I Can See You Moving Laterally - Richie Cyrus BSides NOVA 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Bro, I Can See You Moving Laterally
Richie Cyrus
BSides NOVA 2017

Post-compromise, threat actors use the Server Message Block (SMB) protocol to move laterally and carry out their objectives. How does an organization go about detecting activity designed to blend in with normal traffic? Enabling Windows event logs to audit access to file shares may assist in detection. However, sifting through the sheer volume of logs created during normal day-to-day operations is not ideal. Actors may also move malware from share to share, undetected by an organization's particular anti-virus solution. The Bro Network Security Monitor provides the functionality and flexibility needed to detect some of these techniques on the wire. This session is designed to show defenders the capability of Bro to detect malicious SMB activity, specifically during lateral movement. The scripts and examples introduced can be used right away in environments with Bro deployed.

Richie Cyrus is an Incident Responder at CME Group with five years of security experience, primarily focused in the areas of digital forensics, incident response, and intrusion detection. He holds a number of security certifications, including GREM, GCFE, GCIH, GWAPT, CISSP and GCIA. He is also pursuing a master's degree in Information Security Engineering at SANS Technology Institute.

rrcyrus


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast